LiteSpeed cPanel flaw gives any user root access
Key insights
- CVE-2026-48172 lets any cPanel account execute root-level scripts via lsws.redisAble with no admin credentials on LiteSpeed cPanel plugin versions 2.3 through 2.4.4.
- CISA's three-day federal patch window from May 26 to May 29 is one of the shortest deadlines ever issued under the KEV catalog framework.
- Shared hosting amplifies the attack surface: a single unpatched LiteSpeed server can expose thousands of independent tenant sites to root compromise.
Why this matters
A CVSS 10.0 privilege escalation in shared hosting infrastructure multiplies risk by every tenant site on any unpatched server, creating a supply-chain-style exposure for organizations that outsource web hosting without auditing the underlying plugin stack. The three-day federal patch window signals CISA's judgment that active exploitation is accelerating fast enough that the standard seven-day window is operationally inadequate. For technical leaders and founders running workloads on shared or managed hosting, this is a concrete demonstration that third-party server plugins represent a blind spot in vendor security programs, and that plugin patch cadences can lag real-world threat timelines by weeks.
Summary
A perfect CVSS 10.0 flaw in LiteSpeed's cPanel plugin is being actively exploited across shared hosting environments, and CISA gave federal agencies just three days to patch after adding it to the KEV catalog on May 26.
The mechanism is blunt: any cPanel account holder can abuse the lsws.redisAble function to execute arbitrary scripts as root. No elevated credentials needed, no complex exploit chain required.
Essentially: LiteSpeed and CISA are managing a maximum-severity privilege escalation that any tenant on a shared server can trigger without special access.
- Affected versions span 2.3 through 2.4.4; the patched release is 2.4.7.
- The May 29 federal deadline is among the shortest patch windows CISA has ever issued under BOD 22-01.
- Shared hosting multiplies the blast radius: one unpatched server can expose thousands of tenant sites simultaneously.
Because the fix sits with hosting operators rather than site owners, most affected sites will remain exposed until their provider acts, well after the federal deadline passes.
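As an added defender-side example (not code from the original report or from LiteSpeed), the following inventory triage classifies collected plugin versions against the range stated above. It assumes only the version bounds on this page (affected 2.3 through 2.4.4, fixed in 2.4.7); how you obtain each host's plugin version is left to you, and the hostnames and versions below are constructed.

```python
from typing import Dict, List, Tuple

# Version bounds taken from the report above; everything else here is assumed.
AFFECTED_MIN = (2, 3, 0)   # 2.3
AFFECTED_MAX = (2, 4, 4)   # 2.4.4
PATCHED = (2, 4, 7)        # 2.4.7


def parse_version(text: str) -> Tuple[int, int, int]:
    """Convert '2.4.10' into (2, 4, 10) so versions compare numerically.
    Plain string comparison would rank '2.4.10' below '2.4.7' and mis-triage hosts."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable plugin version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))  # pad '2.3' to (2, 3, 0)
    return (nums[0], nums[1], nums[2])


def classify(text: str) -> str:
    """AFFECTED    = inside the advisory's stated vulnerable range
    BELOW_PATCH = outside that range but older than the fixed release; the report
                  does not say whether such builds are safe, so verify with the vendor
    PATCHED     = at or beyond the fixed release"""
    v = parse_version(text)
    if AFFECTED_MIN <= v <= AFFECTED_MAX:
        return "AFFECTED"
    if v < PATCHED:
        return "BELOW_PATCH"
    return "PATCHED"


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group hosts by status; unparseable versions land in UNKNOWN so they get chased."""
    groups: Dict[str, List[str]] = {"AFFECTED": [], "BELOW_PATCH": [], "PATCHED": [], "UNKNOWN": []}
    for host, version in inventory.items():
        try:
            groups[classify(version)].append(host)
        except ValueError:
            groups["UNKNOWN"].append(host)
    return {status: sorted(hosts) for status, hosts in groups.items()}


# Constructed sample inventory (hostnames and versions are made up for illustration).
SAMPLE_INVENTORY = {
    "shared-01.example.test": "2.4.4",
    "shared-02.example.test": "2.3",
    "shared-03.example.test": "2.4.10",
    "shared-04.example.test": "2.4.5",
    "shared-05.example.test": "2.2.9",
    "shared-06.example.test": "n/a",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:12s} {', '.join(hosts) or '-'}")
```

Hosts in BELOW_PATCH correspond to the gap the report itself flags (versions older than 2.3, and 2.4.5 and 2.4.6 between the stated range and the fix), so treat them as upgrade candidates rather than as cleared.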
Potential risks and opportunities
Risks
- Shared hosting providers running unpatched LiteSpeed stacks past May 29 face mass tenant compromise with breach notification obligations potentially spanning thousands of customers per server.
- Federal agencies that miss the BOD 22-01 May 29 deadline face formal compliance exposure, and CISA could escalate with binding operational directives affecting procurement and funding.
- Site owners on affected shared hosts have no direct remediation path and remain exposed indefinitely until their provider patches, creating a liability gap that hosting SLAs typically do not cover.
Opportunities
- Web application firewall vendors (Cloudflare, Sucuri, Imperva) can deploy virtual patches for CVE-2026-48172 within hours, giving hosting operators a credible bridge while scheduling plugin upgrades.
- Managed WordPress and application hosting providers with automated patch pipelines (WP Engine, Kinsta, Pantheon) gain a concrete differentiation argument over commodity shared hosts that move on slower maintenance cycles.
- Vulnerability management and attack surface platforms that track third-party server plugin versions across hosting environments (Qualys, Tenable, Wiz) have a timed upsell moment as operators scramble to inventory LiteSpeed deployments before the federal deadline.
What we don't know yet
- No public attribution for who is driving the widespread exploitation campaigns -- no threat actor group has been named in CISA's KEV entry or in LiteSpeed's advisory.
- Whether LiteSpeed plugin versions older than 2.3 carry the same lsws.redisAble exposure, or whether legacy deployments below the stated range were separately audited.
- The timeline between when 2.4.7 was released and when active exploitation began -- unclear whether the patch preceded or followed the onset of in-the-wild attacks.
Originally reported by haltingproblems.com
Original headline: CISA Adds LiteSpeed cPanel Plugin CVE-2026-48172 (CVSS 10.0) to KEV — Root Privilege Escalation Actively Exploited, Federal Patch Deadline May 29